Oathkeeper duplicates CORS headers
kamilkloch opened this issue · 6 comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
We are using oathkeeper and kratos services.
When oathkeeper CORS config looks as follows:
cors:
enabled: true
allowed_origins:
- "https://ui-admin.our-company.com"
then the request
curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'
produces the following output in the headers:
access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-origin: https://ui-admin.our-company.com
access-control-allow-origin: https://ui-admin.our-company.com
vary: Origin
vary: Origin
oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).
This is quite problematic, as it breaks CORS requests issued by the browser: https://crashtest-security.com/multiple-values-access-control-allow-origin/
"While the header does support multiple origins, browsers usually do not. "
Reproducing the bug
curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'
Relevant log output
No response
Relevant configuration
cors:
enabled: true
allowed_origins:
- "https://ui-admin.our-company.com"
Version
0.40.2
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
I have experienced the same problem.
oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).
This could be avoided if we could strip upstream headers, however there doesn't seem like there's a supported way to do this.
Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?
turn of in oathkeeper, turn on in upstream)
this way you will not have correct cors if client send request with incorrect or expired session
Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?
We turned off CORS header for oathkeeper, but the error handler gets CORS error ...
Could we enable oathkeeper to configure CORS headers only for error handlers?
As a workaround or final solution (based how you see it), you could disable CORS for oathkeeper and handle CORS by a proxy as @aeneasr suggested. Based on your proxy implementation, you could then remove the upstream headers in the proxy itself for these upstream services that do not support the disabling of CORS. Nginx allows that with proxy_hide_header
as example. I know caddy supports it also, maybe others as well.